RNDC fails when using keys with different algorithms within a control channel.
Ref: https://support.isc.org/Ticket/Display.html?id=18569
A customer who is planning to change the 'rndc' key algorithm from md5 to sha256 reports that, in a list of keys configured in a single 'inet' block, the first-listed key works properly and subsequent keys using the same algorithm also work, while later keys with a different algorithm fail.
BIND version used
9.16.15, also confirmed on 9.11.31
Steps to reproduce
Keys with differing algorithms, e.g. md5 and sha256, and a BIND configuration containing the keys in a control channel:

```
acl "rndc-users" {
    192.168.12.100/32;
    192.168.12.82/32;
};
key "key1" {
    algorithm "hmac-sha256";
    secret "????????????????????????????????????????????";
};
key "key2" {
    algorithm "hmac-md5";
    secret "????????????????????????";
};
.
.
.
controls {
    inet 192.168.12.95 allow {
        "rndc-users";
    } keys {
        "key1";
        "key2";
    };
};
```
Same key material in rndc.conf on remote hosts referenced by the 'rndc-users' ACL.
What is the current bug behavior?
The first key in the list works properly, as does any other key using the same algorithm. A key in the list with a different algorithm fails, and so do any subsequent keys that use the first key's algorithm.
rndc fails with the error:

```
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized,
* the key signing algorithm is incorrect, or
* the key is invalid.
```
A workaround is to set up another control channel on a different port, so each channel only has keys of the same algorithm.
What is the expected correct behavior?
Customer expected both old and new keys to be functional.
Specific keys and config are in Support ticket linked above, but this problem is reproducible with any similar situation.
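The following is an added example, not part of the ticket or of BIND itself: a small Python lint that reads a named.conf fragment, maps each key to its HMAC algorithm, flags any 'inet' control channel whose key list mixes algorithms (the trigger condition above), and renders the workaround of one channel per algorithm on separate ports. The embedded configuration is a constructed copy of the report's, with placeholder secrets; the port numbers it emits are illustrative, and the regex parsing assumes the simple block layout shown here rather than the full named.conf grammar.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the report (secrets are placeholders, not real key material).
NAMED_CONF = """
acl "rndc-users" { 192.168.12.100/32; 192.168.12.82/32; };
key "key1" { algorithm "hmac-sha256"; secret "PLACEHOLDER-SHA256-SECRET"; };
key "key2" { algorithm "hmac-md5"; secret "PLACEHOLDER-MD5-SECRET"; };
controls {
    inet 192.168.12.95 allow { "rndc-users"; } keys { "key1"; "key2"; };
};
"""

# Simplified patterns for the block shapes used above (not a full named.conf parser).
KEY_RE = re.compile(r'key\s+"?([\w.-]+)"?\s*\{([^}]*)\}', re.S)
ALG_RE = re.compile(r'algorithm\s+"?([\w-]+)"?\s*;')
INET_RE = re.compile(
    r'inet\s+(\S+)(?:\s+port\s+(\d+))?\s+allow\s*\{([^}]*)\}\s*keys\s*\{([^}]*)\}', re.S)
NAME_RE = re.compile(r'"?([\w.-]+)"?\s*;')

def key_algorithms(conf):
    """Map each key name to its lower-cased algorithm, e.g. {'key1': 'hmac-sha256'}."""
    algs = {}
    for name, body in KEY_RE.findall(conf):
        m = ALG_RE.search(body)
        if m:
            algs[name] = m.group(1).lower()
    return algs

def mixed_channels(conf):
    """Return (listen, port, allow, {alg: [keys]}) for each inet channel mixing algorithms."""
    algs = key_algorithms(conf)
    found = []
    for listen, port, allow, keylist in INET_RE.findall(conf):
        by_alg = defaultdict(list)
        for name in NAME_RE.findall(keylist):
            by_alg[algs.get(name, "unknown")].append(name)
        if len(by_alg) > 1:  # more than one algorithm on one channel: the failing setup
            found.append((listen, port or "953", allow.strip(), dict(by_alg)))
    return found

def split_workaround(listen, port, allow, by_alg):
    """Render the report's workaround: one channel per algorithm on consecutive ports."""
    lines = []
    for i, (alg, names) in enumerate(sorted(by_alg.items())):
        keys = " ".join(f'"{n}";' for n in names)
        lines.append(f'inet {listen} port {int(port) + i} allow {{ {allow} }} '
                     f'keys {{ {keys} }};  # {alg} only')
    return lines

if __name__ == "__main__":
    for chan in mixed_channels(NAMED_CONF):
        print("mixed-algorithm control channel:", chan[0], chan[1], chan[3])
        print("\n".join(split_workaround(*chan)))
```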